@mariuxdeangelo@infosec.exchange
I'm currently tinkering around with #SBOM and checking out different tooling to generate SBOMs. Here I focus on tools that generalize to not only one but lots of different programming languages and build systems. In this picture you see the dependencies shared between 14 different SBOMs I generated for Keycloak in different phases based on the sources, the release files and the docker container.
Best case would be that all generators in all phases found everything and we only see one big pile of dependencies. But actually they are scattered in lots of groups that are shared by some but not all generators. On the top right are the generators based on the sources (in green), on the bottom left are the generators based on container images (in blue) or sources (in orange).
Would love to know what you think about this. I implemented this as a web-based tool and generated SBOMs also for other projects. Feel free to check it out. https://sbom.seclab.cs.hm.edu/
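The grouping behind such an overlap picture can be reproduced in a few lines: key each component by its purl (or name@version when no purl was emitted), then bucket components by the exact set of generators that reported them, and list what each generator missed. This is an added example, not the author's web tool; the three SBOMs and their contents are constructed CycloneDX-style fragments.

```python
"""Group components from several SBOMs by which generators found them,
mirroring the overlap picture in the post. Added example, not the
author's tool; the SBOMs below are constructed CycloneDX-style JSON."""
import json
from collections import defaultdict

# Constructed sample SBOMs (generator name -> CycloneDX-like JSON text).
SAMPLE_SBOMS = {
    "source-scan": json.dumps({"components": [
        {"name": "keycloak-core", "version": "24.0", "purl": "pkg:maven/org.keycloak/keycloak-core@24.0"},
        {"name": "jackson-databind", "version": "2.15", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15"},
        {"name": "quarkus-arc", "version": "3.2"},  # generator emitted no purl
    ]}),
    "release-scan": json.dumps({"components": [
        {"name": "keycloak-core", "version": "24.0", "purl": "pkg:maven/org.keycloak/keycloak-core@24.0"},
        {"name": "quarkus-arc", "version": "3.2"},
    ]}),
    "container-scan": json.dumps({"components": [
        {"name": "keycloak-core", "version": "24.0", "purl": "pkg:maven/org.keycloak/keycloak-core@24.0"},
        {"name": "jackson-databind", "version": "2.15", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15"},
        {"name": "openssl", "version": "3.0.9", "purl": "pkg:deb/debian/openssl@3.0.9"},  # OS package, only visible in the image
    ]}),
}

def component_key(comp):
    """Prefer the purl; fall back to name@version so entries without a
    purl still line up across generators."""
    return (comp.get("purl") or f"{comp.get('name', '?')}@{comp.get('version', '?')}").lower()

def load_components(sbom_text):
    return {component_key(c) for c in json.loads(sbom_text).get("components", [])}

def overlap_groups(sboms):
    """{frozenset(generators): sorted components found by exactly that set}."""
    found_by = defaultdict(set)
    for gen, text in sboms.items():
        for key in load_components(text):
            found_by[key].add(gen)
    groups = defaultdict(list)
    for key, gens in found_by.items():
        groups[frozenset(gens)].append(key)
    return {g: sorted(keys) for g, keys in groups.items()}

def gaps(sboms):
    """{generator: sorted components some other generator found but it did not}."""
    everything = set().union(*(load_components(t) for t in sboms.values()))
    return {g: sorted(everything - load_components(t)) for g, t in sboms.items()}

if __name__ == "__main__":
    for gens, keys in sorted(overlap_groups(SAMPLE_SBOMS).items(), key=lambda kv: -len(kv[0])):
        print(f"found by {sorted(gens)}: {keys}")
    for gen, missing in gaps(SAMPLE_SBOMS).items():
        print(f"{gen} missed: {missing}")
```

Real SBOMs rarely agree on purl spelling (case, qualifiers, namespace), so the key function is where most of the tuning effort goes before the groups become meaningful.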